CVE-2025-11371 is a critical unauthenticated Local File Inclusion (LFI) vulnerability affecting Gladinet CentreStack and Triofox through version 16.7.10368.56560. It lets remote attackers read sensitive configuration files without authentication, exposing critical security credentials. The flaw has been actively exploited since September 27, 2025, when threat actors compromised systems through this newly discovered LFI route. Attackers use it to extract machine keys from Web.config files, which can then be weaponized with CVE-2025-30406 to achieve remote code execution. This vulnerability chain poses severe risks to organizations running affected CentreStack and Triofox file sharing platforms. Patches were released in version 16.10.10408.56683, and immediate updates are strongly recommended for all deployments.
CVE-2025-11371 is an unauthenticated Local File Inclusion vulnerability affecting the Gladinet CentreStack and Triofox file sharing and remote access platforms in default configurations up to version 16.7.10368.56560. It allows attackers with network access to read arbitrary files on target systems, including sensitive configuration files such as Web.config. The vulnerability has been actively exploited in the wild since September 27, 2025, when a CentreStack instance running a version already patched against CVE-2025-30406 was compromised through this newly discovered LFI route.
Through this flaw, attackers extract the machine key from Web.config, a crucial secret used in ASP.NET ViewState validation. This enables threat actors to craft malicious ViewState payloads that exploit CVE-2025-30406, a deserialization vulnerability tied to predictable machine keys, achieving remote code execution. While the LFI vulnerability primarily threatens confidentiality, the fact that it can be chained into an RCE path makes it far more severe.
CVE-2025-11371 carries a CVSS score around 6.1, reflecting the moderate inherent risk of file disclosure alone. However, the overall impact escalates sharply when the disclosed machine key is weaponized through the ViewState exploit. The vulnerability affects all Gladinet CentreStack and Triofox versions prior to and including 16.7.10368.56560 and is mapped to CWE-552 (Files or Directories Accessible to External Parties). CVE-2025-30406, the companion vulnerability in the attack chain, affects Gladinet CentreStack versions prior to 16.4.10315.56368 and Gladinet Triofox versions prior to 16.4.10317.56372 and is mapped to CWE-321 (Use of Hard-coded Cryptographic Key).
Both CVE-2025-11371 and CVE-2025-30406 were exploited as zero-day vulnerabilities and have been added to the CISA Known Exploited Vulnerabilities catalog. Gladinet released a patch in mid-October 2025 (version 16.10.10408.56683) addressing the CentreStack vulnerability and mitigating the attack chain. All CentreStack and Triofox deployments running earlier builds should be updated immediately, and any system previously exposed should have its machine key and credentials rotated to prevent post-compromise persistence.
Organizations should immediately disable the “temp” handler in the UploadDownloadProxy section of the Web.config file in Gladinet CentreStack and Triofox installations. This mitigation involves removing or commenting out the line referencing Gladinet.Cloud.Proxy.TempHandler in Web.config. The change blocks unauthenticated access to the vulnerable file inclusion endpoint, preventing exploitation of the Local File Inclusion flaw.
Since the LFI vulnerability is exploited to steal the ASP.NET machine key, security teams must immediately rotate the machine key, even if systems were previously patched for CVE-2025-30406. Rotating the machine key invalidates any malicious ViewState payloads attackers might craft and breaks the final stage of the RCE attack chain. This security measure requires an IIS reset after implementing the key change.
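Both mitigations above (disabling the temp handler and rotating the machine key) can be verified by parsing Web.config rather than searching it as text. The script below is an added example, not Gladinet's code or part of the original advisory; only the handler name and type come from the advisory, while the XML fragments, paths, assembly names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

HANDLER_TYPE = "Gladinet.Cloud.Proxy.TempHandler"   # type name given in the advisory

# Constructed Web.config fragments; paths, assembly and key values are placeholders.
BEFORE = """<configuration>
  <system.web><machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" /></system.web>
  <system.webServer><handlers>
    <add name="temp" verb="*" path="PLACEHOLDER" type="Gladinet.Cloud.Proxy.TempHandler, PLACEHOLDER" />
    <add name="other" verb="*" path="PLACEHOLDER2" type="Example.OtherHandler, PLACEHOLDER" />
  </handlers></system.webServer>
</configuration>"""

AFTER = """<configuration>
  <system.web><machineKey validationKey="CCCC3333" decryptionKey="DDDD4444" /></system.web>
  <system.webServer><handlers>
    <!-- <add name="temp" verb="*" path="PLACEHOLDER" type="Gladinet.Cloud.Proxy.TempHandler, PLACEHOLDER" /> -->
    <add name="other" verb="*" path="PLACEHOLDER2" type="Example.OtherHandler, PLACEHOLDER" />
  </handlers></system.webServer>
</configuration>"""

def key_fingerprint(root):
    """SHA-256 over the machineKey values, so keys can be compared without logging them."""
    mk = root.find(".//machineKey")
    if mk is None:
        return None
    material = mk.get("validationKey", "") + "|" + mk.get("decryptionKey", "")
    return hashlib.sha256(material.encode()).hexdigest()

def audit(config_xml, old_fingerprint=None):
    """Report whether the temp handler is still registered and whether the key changed."""
    # ElementTree drops XML comments, so a commented-out handler is not counted,
    # unlike a plain text search for the type name.
    root = ET.fromstring(config_xml)
    active = [el.get("name") for el in root.iter("add")
              if HANDLER_TYPE in el.get("type", "")]
    fp = key_fingerprint(root)
    compared = old_fingerprint is not None and fp is not None
    return {
        "temp_handler_active": bool(active),
        "handler_names": active,
        "key_fingerprint": fp,
        "key_rotated": (fp != old_fingerprint) if compared else None,
    }
```

Record the fingerprint before rotation and pass it as `old_fingerprint` afterwards; a file without a `machineKey` element reports `key_rotated` as `None` rather than guessing.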
Organizations should restrict network access to CentreStack and Triofox web services, particularly the affected UploadDownloadProxy endpoint, to trusted users or internal networks only. Implementing robust access controls reduces external exposure and minimizes the attack surface, making it significantly harder for unauthenticated remote attackers to initiate the LFI and subsequent RCE exploit against Gladinet platforms.
Security teams should actively monitor server logs for suspicious read requests targeting sensitive configuration files like Web.config and for unusual base64-encoded ViewState payloads. Comprehensive logging and monitoring enables early detection of exploitation attempts against the vulnerability and facilitates rapid incident response.
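One way to implement the Web.config part of this monitoring over IIS W3C logs is sketched below. It is an added example, not part of the original advisory; the log excerpt is constructed, and its URL paths, parameter name and addresses are placeholders rather than indicators.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt; paths, parameter names and addresses are
# placeholders, not indicators taken from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-10-01 10:00:01 GET /portal/login.aspx - - 198.51.100.7 200
2025-10-01 10:00:05 GET /placeholder/handler f=..%5C..%5CWeb.config - 203.0.113.9 200
2025-10-01 10:00:09 GET /placeholder/handler f=%252e%252e%255cWEB%252eCONFIG - 203.0.113.9 404
2025-10-01 10:00:12 GET /placeholder/handler f=report.pdf alice 192.0.2.44 200
"""

SENSITIVE = re.compile(r"web\.config", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded names are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_config_reads(log_text):
    """Return one finding per request whose URL references Web.config."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field order is set per file in W3C logs
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        url = fully_decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        if not SENSITIVE.search(url):
            continue
        findings.append({
            "time": row.get("date", "") + " " + row.get("time", ""),
            "client": row.get("c-ip", ""),
            "status": row.get("sc-status", ""),
            "anonymous": row.get("cs-username", "-") == "-",
            # A 200 means file content was probably returned: treat the
            # machine key as exposed and rotate it.
            "likely_disclosed": row.get("sc-status") == "200",
        })
    return findings
```

IIS does not log request bodies, so ViewState payloads sent by POST need a different data source, such as application or WAF logs.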
The CVE-2025-11371 Gladinet vulnerability exploitation aligns with multiple MITRE ATT&CK tactics and techniques:
Initial Access and Execution:
Credential Access and Discovery:
Privilege Escalation and Resource Development:
Organizations should upgrade Gladinet CentreStack and Triofox to version 16.10.10408.56683 or later to remediate the critical Local File Inclusion vulnerability.
The companion CVE-2025-30406 vulnerability is fixed in the following versions:
Complete patch information and downloads are available at: https://www.centrestack.com/p/gce_latest_release.html
Threat Level: Red
Report Generated: October 13, 2025